From 2f9574850b356a746ee3ff9a8a311c450784b53c Mon Sep 17 00:00:00 2001 From: Guilhem Moulin Date: Sat, 16 May 2020 18:26:53 +0200 Subject: MX: Install OpenDMARC to add Authentication-Results headers. On the infrastructure boundary. We don't reject/quarantine as it would affect members who forward their mail sent to to . Members can install Sieve rules to send any messages with failed Authentication-Results headers directly in their spambox. --- .../systemd/system/opendmarc.service.d/override.conf | 17 +++++++++++++++++ roles/MX/files/etc/systemd/system/opendmarc.socket | 10 ++++++++++ 2 files changed, 27 insertions(+) create mode 100644 roles/MX/files/etc/systemd/system/opendmarc.service.d/override.conf create mode 100644 roles/MX/files/etc/systemd/system/opendmarc.socket (limited to 'roles/MX/files/etc/systemd/system') diff --git a/roles/MX/files/etc/systemd/system/opendmarc.service.d/override.conf b/roles/MX/files/etc/systemd/system/opendmarc.service.d/override.conf new file mode 100644 index 0000000..1fb5567 --- /dev/null +++ b/roles/MX/files/etc/systemd/system/opendmarc.service.d/override.conf @@ -0,0 +1,17 @@ +[Service] +Type=simple +User=opendmarc +ExecStart= +ExecStart=/usr/sbin/opendmarc -f -p fd:3 +StandardOutput=journal +SyslogFacility=mail +RuntimeDirectory=opendmarc + +# Hardening +NoNewPrivileges=yes +PrivateDevices=yes +ProtectHome=yes +ProtectSystem=strict +ProtectControlGroups=yes +ProtectKernelModules=yes +ProtectKernelTunables=yes diff --git a/roles/MX/files/etc/systemd/system/opendmarc.socket b/roles/MX/files/etc/systemd/system/opendmarc.socket new file mode 100644 index 0000000..483ef60 --- /dev/null +++ b/roles/MX/files/etc/systemd/system/opendmarc.socket @@ -0,0 +1,10 @@ +[Unit] +Description=OpenDMARC Milter activation socket + +[Socket] +ListenStream=/var/spool/postfix-mx/public/opendmarc +SocketUser=postfix +SocketMode=0666 + +[Install] +WantedBy=sockets.target -- cgit v1.2.3